Thursday, December 18, 2008

Firefox unsafe?

Some news items I read make me angry, others make me laugh... and then there are those that would make me laugh if they weren't so very sad... or at least make me shake my head.

One of those I read today. It was not the article itself that made me feel that way but the content / information it referred to. There's one thing that disturbed me about the article itself too, though: how generalising its heading was, presenting the result of a specific company's study as commonly known truth while the study itself is ANYTHING but fair and unbiased. But I'll come back to that at the end of my post.

The article referred to a study conducted by "Bit9", who found Mozilla Firefox the "most unsafe application of 2008". That itself sounds ridiculous enough. The reason was that this year, 10 critical errors were detected in Firefox. They weighted programs more severely the more they are used. And since Firefox is pretty widespread, it's more understandable that it ended up that high in the list. I could now list reasons why it is always stupid and nonsense to judge the security of programs simply by the number of errors, without considering how fast fixes for those errors are released, how severe the possible or actual consequences of those errors are, and how easily those errors can be abused by others. The one thing that left me baffled and speechless at first was the line near the end of the article, which was clearly added later on as an "update", saying (translated from German): "The study of Bit9 refers only to products that aren't automatically kept up-to-date via Microsoft's automatic update service. A comparison with the Internet Explorer is therefore not feasible."

WTF?? What kind of study is this? We are putting together a list of the most unsafe Windows applications, but applications by Microsoft are not taken into account? What value does such a study have? NONE, exactly! You can't use these results since they are unrealistic, biased and simply not true! With the recent zero-day exploit for IE in the wild right now, how can you even regard a statistic like that as useful in any way? Non-Microsoft applications often have their own update services integrated, especially Firefox. And that one is surely patched way quicker than IE if a critical error arises. It is like conducting a study about which cars are most unsafe, but omitting cars made by Mercedes from the statistics completely since their cars have regularly scheduled service intervals every year paid for by the company itself (that's not the case for Mercedes of course, but you catch my drift).

I wonder if Bit9 was paid off by Microsoft or if they are just that ignorant without seeing any money for it. Either way, I hope there are no "officials" somewhere actually giving a crap about that study and using it as a basis for their decisions. Look at the facts and at the reality around us in the networking world, and you'll have your truth.

And to the author of the news entry at Spiegel Online: Your heading was misleading, if not wrong. It said "Firefox most unsafe application of 2008". It should've said at least "Study finds Firefox most unsafe application of 2008". Or even closer to the truth: "Study finds Firefox most unsafe non-Microsoft Windows application of 2008".
